SonicWall Breach: Cloud Backup Exposure Prompts Urgent Customer Action
- John Jordan
- Sep 18
SonicWall has alerted its customers to a security incident involving its MySonicWall cloud backup service. Threat actors gained unauthorized access to firewall configuration backup files belonging to under 5% of its customers, exposing data that could aid in later attacks on those firewalls. The company is strongly advising affected customers to reset credentials and apply specific containment measures to reduce the risk.

Key Takeaways
- SonicWall's cloud backup service for firewalls was targeted by brute-force attacks.
- Firewall configuration backup files for under 5% of customers were accessed.
- Credentials in the files were encrypted, but the information the files hold could still make it easier to exploit the corresponding firewalls.
- SonicWall is urging customers to reset passwords, TOTP bindings, and IPSec VPN keys, and to review firewall configurations.
Breach Details and Impact
SonicWall recently identified suspicious activity in its cloud backup service for firewalls and determined that unknown threat actors had accessed firewall preference (configuration backup) files stored there. The company stated that less than 5% of its customer base was affected. Although the credentials contained in these files were encrypted, the information they hold could make it easier for attackers to exploit the corresponding firewalls. Defenders should treat every credential in an accessed file as compromised: a customer cannot verify how that encryption is keyed or whether it will hold, which is why the vendor's own remediation resets all of them.
SonicWall's Response and Recommendations
SonicWall has emphasized that this was not a ransomware event targeting its network but rather a series of brute-force attacks aimed at obtaining these preference files for potential future malicious use. The company is not aware of any of the accessed files being leaked online by the threat actors.
To address the incident, SonicWall is urging all customers to take the following steps:
- Log in to MySonicWall.com and verify whether cloud backups are enabled.
- Check whether any of their firewall serial numbers have been flagged within their account.
- For flagged devices, initiate containment and remediation:
  - limit service access from the WAN;
  - disable management access via HTTP, HTTPS and SSH;
  - turn off SSL VPN and IPSec VPN access;
  - reset passwords and the Time-based One-Time Password (TOTP) bindings saved on the firewall;
  - review logs for unusual activity.
Additionally, affected customers have been advised to import the new preference files that SonicWall provides. These files carry randomized passwords for local users, reset TOTP bindings, and randomized IPSec VPN keys. Customers are cautioned to use a file only if it reflects their intended settings, so the non-credential parts of the file should be compared against the running configuration before it is imported, and to perform the import during a maintenance window, since it triggers an immediate firewall reboot.
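The two checks a practitioner wants around a replacement preference file are that every secret really was rotated and that nothing else changed. The following Python script is an added example for this article, not SonicWall code, and it does not use the real preference-file format: the configuration is a constructed, simplified dict, and every field name in it (local_users, ipsec_vpns, ssl_vpn, management, totp_secret, psk) is an assumption. It rotates local passwords and IPsec pre-shared keys with a CSPRNG, clears TOTP bindings so users must re-enrol, and then diffs the old and new configurations while ignoring the secret fields, so that an empty diff means "only credentials changed". A second helper applies the WAN-management and SSL VPN containment steps, and the same diff then lists exactly those fields.

```python
"""Rotate every secret in a firewall configuration backup, then verify that
nothing except the secret fields changed before the file is imported.

Added example for this article; not SonicWall code and not the real
preference-file format.  SAMPLE_CONFIG is a constructed, simplified dict
and every field name in it is an assumption.
"""
import copy
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
# Field names that hold secrets (assumed names for this toy config).
SECRET_FIELDS = {"password", "totp_secret", "psk"}

# Constructed sample: roughly the kind of data a configuration backup carries.
SAMPLE_CONFIG = {
    "hostname": "fw-branch-01",
    "local_users": [
        {"name": "admin", "password": "OldAdminPass1!", "totp_secret": "JBSWY3DPEHPK3PXP"},
        {"name": "vpnuser", "password": "Summer2024!", "totp_secret": None},
    ],
    "ipsec_vpns": [
        {"name": "to-hq", "peer": "203.0.113.10", "psk": "hq-shared-secret"},
    ],
    "ssl_vpn": {"enabled": True, "port": 4433},
    "management": {"wan_http": True, "wan_https": True, "wan_ssh": True},
    "access_rules": [
        {"from": "LAN", "to": "WAN", "action": "allow"},
        {"from": "WAN", "to": "LAN", "action": "deny"},
    ],
}


def random_password(length=24):
    """CSPRNG password containing every character class (reject-and-retry)."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def rotate_secrets(config):
    """Return a copy in which every local password and IPsec PSK is replaced by
    a fresh random value and every TOTP binding is cleared (the old seed may be
    in the stolen file, so the user must re-enrol).  The input is not modified."""
    new = copy.deepcopy(config)
    for user in new["local_users"]:
        user["password"] = random_password()
        user["totp_secret"] = None
    for vpn in new["ipsec_vpns"]:
        vpn["psk"] = secrets.token_hex(32)  # 256-bit pre-shared key, hex-encoded
    return new


def harden_management(config):
    """Return a copy with WAN management and SSL VPN disabled, matching the
    containment steps described in the article."""
    new = copy.deepcopy(config)
    for key in ("wan_http", "wan_https", "wan_ssh"):
        new["management"][key] = False
    new["ssl_vpn"]["enabled"] = False
    return new


def collect_secrets(node):
    """Set of every non-empty secret value anywhere in the config tree."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SECRET_FIELDS:
                if value is not None:
                    found.add(value)
            else:
                found |= collect_secrets(value)
    elif isinstance(node, list):
        for item in node:
            found |= collect_secrets(item)
    return found


def non_secret_diff(old, new, path=""):
    """Dotted paths of non-secret fields that differ between two configs.
    An empty list means the new file changes only credentials."""
    diffs = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            if key in SECRET_FIELDS:
                continue
            child = f"{path}.{key}" if path else key
            diffs.extend(non_secret_diff(old.get(key), new.get(key), child))
    elif isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        for i, (a, b) in enumerate(zip(old, new)):
            diffs.extend(non_secret_diff(a, b, f"{path}[{i}]"))
    elif old != new:
        diffs.append(path)
    return diffs


if __name__ == "__main__":
    rotated = rotate_secrets(SAMPLE_CONFIG)
    print("non-secret changes after rotation:", non_secret_diff(SAMPLE_CONFIG, rotated))
    print("old secrets still present:", collect_secrets(SAMPLE_CONFIG) & collect_secrets(rotated))
    print("changes after hardening:", non_secret_diff(rotated, harden_management(rotated)))
```

The diff deliberately skips secret fields by name rather than by value, so a secret that was left unchanged by mistake would not show up as a "change"; that is what the collect_secrets intersection check is for. Run both checks, not just one, before importing any replacement file.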
Broader Context of SonicWall Security
This incident occurs amidst ongoing threats targeting SonicWall devices. Notably, threat actors affiliated with the Akira ransomware group have been exploiting a year-old security flaw (CVE-2024-40766) in unpatched SonicWall devices to gain initial access to networks. Recent reports have detailed how these actors have leveraged exposed recovery codes for security software to bypass multi-factor authentication and disable endpoint protections, highlighting the critical importance of securing all sensitive credentials and access methods.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers, The Hacker News.
- SonicWall says attackers compromised some firewall configuration backup files, Help Net Security.